mirror of
https://github.com/fluxcd/flagger.git
synced 2026-04-15 06:57:34 +00:00
ded722fb2d
Bumps the ci group with 1 update: [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Updates `slsa-framework/slsa-github-generator` from 1.9.0 to 1.10.0 - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci ... Signed-off-by: dependabot[bot] <support@github.com>
150 lines
5.3 KiB
YAML
150 lines
5.3 KiB
YAML
name: release
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
workflow_dispatch:
|
|
inputs:
|
|
tag:
|
|
description: 'image tag prefix'
|
|
default: 'rc'
|
|
required: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
IMAGE: "ghcr.io/fluxcd/${{ github.event.repository.name }}"
|
|
|
|
jobs:
|
|
release-flagger:
|
|
outputs:
|
|
hashes: ${{ steps.slsa.outputs.hashes }}
|
|
runs-on:
|
|
group: "Default Larger Runners"
|
|
permissions:
|
|
contents: write # needed to write releases
|
|
id-token: write # needed for keyless signing
|
|
packages: write # needed for ghcr access
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: fluxcd/flux2/action@main
|
|
- uses: sigstore/cosign-installer@v3.4.0
|
|
- name: Prepare
|
|
id: prep
|
|
run: |
|
|
if [[ ${GITHUB_EVENT_NAME} = "workflow_dispatch" ]]; then
|
|
VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
|
|
else
|
|
VERSION=$(grep 'VERSION' pkg/version/version.go | awk '{ print $4 }' | tr -d '"')
|
|
fi
|
|
CHANGELOG="https://github.com/fluxcd/flagger/blob/main/CHANGELOG.md#$(echo $VERSION | tr -d '.')"
|
|
echo "[CHANGELOG](${CHANGELOG})" > notes.md
|
|
echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
|
|
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
|
|
- name: Setup QEMU
|
|
uses: docker/setup-qemu-action@v3
|
|
- name: Setup Docker Buildx
|
|
id: buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: fluxcdbot
|
|
password: ${{ secrets.GHCR_TOKEN }}
|
|
- name: Generate image meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: |
|
|
${{ env.IMAGE }}
|
|
tags: |
|
|
type=raw,value=${{ steps.prep.outputs.VERSION }}
|
|
- name: Publish image
|
|
id: build-push
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
sbom: true
|
|
provenance: true
|
|
push: true
|
|
builder: ${{ steps.buildx.outputs.name }}
|
|
context: .
|
|
file: ./Dockerfile
|
|
platforms: linux/amd64,linux/arm64,linux/arm/v7
|
|
build-args: |
|
|
REVISON=${{ github.sha }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
- name: Sign image
|
|
env:
|
|
COSIGN_EXPERIMENTAL: 1
|
|
run: |
|
|
cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}
|
|
- name: Publish signed manifests to GHCR
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
env:
|
|
COSIGN_EXPERIMENTAL: 1
|
|
run: |
|
|
OCI_URL=$(flux push artifact \
|
|
oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
|
|
--path="./kustomize" \
|
|
--source="$(git config --get remote.origin.url)" \
|
|
--revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)" \
|
|
--output json | \
|
|
jq -r '. | .repository + "@" + .digest')
|
|
cosign sign --yes ${OCI_URL}
|
|
- name: Publish Helm charts
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
uses: stefanprodan/helm-gh-pages@v1.7.0
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
charts_url: https://flagger.app
|
|
linting: off
|
|
- uses: fluxcd/pkg/actions/helm@main
|
|
with:
|
|
version: 3.12.3
|
|
- name: Publish signed Helm chart to GHCR
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
env:
|
|
COSIGN_EXPERIMENTAL: 1
|
|
run: |
|
|
helm package charts/flagger
|
|
helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts |& tee .digest
|
|
cosign sign --yes ghcr.io/fluxcd/charts/flagger@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
|
|
rm flagger-${{ steps.prep.outputs.VERSION }}.tgz
|
|
rm .digest
|
|
- uses: anchore/sbom-action/download-syft@v0
|
|
- name: Create release and SBOM
|
|
id: run-goreleaser
|
|
uses: goreleaser/goreleaser-action@v5
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
with:
|
|
version: latest
|
|
args: release --release-notes=notes.md --rm-dist --skip-validate
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Generate SLSA metadata
|
|
id: slsa
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
env:
|
|
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
|
|
echo "hashes=$hashes" >> $GITHUB_OUTPUT
|
|
|
|
release-provenance:
|
|
needs: [release-flagger]
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
permissions:
|
|
actions: read # for detecting the Github Actions environment.
|
|
id-token: write # for creating OIDC tokens for signing.
|
|
contents: write # for uploading attestations to GitHub releases.
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
|
|
with:
|
|
provenance-name: "provenance.intoto.jsonl"
|
|
base64-subjects: "${{ needs.release-flagger.outputs.hashes }}"
|
|
upload-assets: true
|